HP ProCurve Threat Management Solution Implementation Guide 2009-05
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS
You can delete an alert by completing the following steps:
1. Open Policy Manager by clicking Tools > Policy Manager.
2. In the navigation tree, click the arrow next to Alerts and Security.
3. In the navigation tree, select Non-ProCurve Security Devices.
4. In the right pane, select the alert and click Delete.
5. Click Apply.
6. Click Close if you do not need to make any other configuration changes in Policy Manager.
Step 3: Respond to Threats
This section discusses the activities you might engage in to define actions for NIM events that are
related to third-party security devices. These activities follow the “Respond to threats” phase
of the security management life cycle (see Figure 3-1 on page 3-4), and they match the design
steps discussed in Chapter 4: “Design” in the HP ProCurve Threat Management Solution
Design Guide. That is, if you are following the steps in the design guide, this section will guide
you through the activities that accomplish the “Respond to threats” step.
First Time Through the Process
The first time through the process, you have two choices:
■ Skip this step
■ Ensure policy execution is disabled
Skip This Step
The first time you go through the security management life cycle, ProCurve recommends that
you skip this step and go to “Step 4: Analyze Events” on page 3-144. The first time through, you are just
establishing the baseline level of potential threat activity on your network, and you are not yet
ready to have NIM or a third-party security device take any action against those threats. Skipping
this step lets you become familiar with all the potential threats and activities on your network, so
that you can take better-coordinated actions than if you start responding to every potential threat from
the outset.
Ensure Policy Execution Is Disabled
Alternatively, if you decide to set up actions and policies the first time you go through the
process, ProCurve strongly recommends that you disable policy execution. (This is the default
setting, but you should ensure that no one has changed it.) With policy execution disabled, you can
verify that NIM and your third-party security device detect threats, while deferring actual execution
of the responses until you have a better understanding of the potential threat activity on your network.
You can quickly determine whether this setting is enabled or disabled by looking at the
bottom right corner of any PCM+ window. In Figure 3-136, for example, you can see the words
“Policy configuration actions disabled,” which indicate that the setting is disabled.